2 Roles, Users, and Security Access

This chapter provides information about creating user security roles and managing user access to Oracle Retail Xstore Office. The User Roles and Users and Security Access features provide the ability to create security roles and to grant privileges to users for one or more areas of Oracle Retail Xstore Office based on these roles.

Note:

Security

Any users in an Org Node higher than the logged-on user will not be displayed in the Admin Users list. In addition, the logged-on user cannot add Org Nodes that are higher than the org nodes he/she is assigned to. Security privileges are associated with Oracle Retail Xstore Office actions.

Oracle Retail Xstore Office Areas Controlled by Security

  • Administration

  • Configurator

  • Data Manager

  • Deployment Manager

  • Home Page

  • Reports

  • Support


User Roles

Note:

The Role of ADMINISTRATOR is required. This role defaults to access for every privilege and has a rank of 150.

Oracle recommends that you set up at least one ADMINISTRATOR user. Once this administrator user has been set up, delete the initial (default) administrator user account for security purposes.

Access to different areas of Oracle Retail Xstore Office is controlled by assigning security Roles to the users. This section provides information about defining the user roles that will then be used to grant specific privileges to a user.

Creating/Editing User Roles

  1. From the Oracle Retail Xstore Office menu, select System, then Xadmin Users, or click the Xadmin Users link in the System panel.

  2. At the Xadmin Users page, click User Roles.

    Figure 2-1 Xadmin Users Page



  3. At the User Roles page, create a new User Role, edit an existing User Role, or delete an existing User Role:

    • To create a new Role, click Add New. The User Roles window displays and the fields are blank.

    • To edit an existing User Role, select the Role from the list. The User Roles window displays and the fields are populated with the current Role information.

    • To delete a User Role, select the Delete icon (X).

  4. Complete the required fields. (All fields are required.)

    Figure 2-2 User Roles Window - Add New Role Example



    • Organization - Select the Organization ID and name from the list.

    • Role ID - Type the role identifier. Spaces and special characters are not allowed in this field. When editing an existing role, this field cannot be changed.

    • Description - Type a description for the role.

    • Xadmin Rank - Type a numeric rank number for Oracle Retail Xstore Office. This rank is evaluated when creating a new Oracle Retail Xstore Office user in User and Security Access. An Oracle Retail Xstore Office user cannot assign a role to a new user that has a greater numeric rank than his/her Xadmin rank. For example, a logged-in user with a rank role of 50 cannot edit or create a rank role of 51 and above.

    • Xstore Rank - Type a numeric rank number for Oracle Retail Xstore Point of Service. This value is the rank associated to the user within the Oracle Retail Xstore Point-of-Service application and corresponds to the role the user holds within Oracle Retail Xstore Point of Service. This rank is evaluated when creating or editing an Oracle Retail Xstore Point-of-Service employee in Data Manager - Employees. An Oracle Retail Xstore Office user cannot assign Oracle Retail Xstore Point-of-Service security groups to an employee that is ranked higher than his/her Oracle Retail Xstore Point-of-Service rank.

    • Privileges - Select each role privilege from the list of Available options and click the arrow button to move the role or roles to the Selected window:

      • Double right arrows - Add all privileges to the Selected window.

      • Single right arrow - Add selected privilege to the Selected window.

      • Single left arrow - Remove selected privilege from the Selected window.

      • Double left arrows - Remove all privileges from the Selected window.

      • To select several privileges at the same time, hold down the [Ctrl] key on the keyboard while selecting each privilege you want to assign to the role you are creating or editing. Click the single right arrow button to move the privileges from the Available window to the Selected window.

      • You can also hold down the [Shift] key in the same manner to select all the privileges between the first privilege you select and the last privilege you select. Click the single right arrow button to move the privileges from the Available window to the Selected window.

  5. Click Save to create or update the role.

    Note:

    A Delete icon (X) is available for roles you create. However, if a role has been assigned to a user it cannot be deleted.

About Privileges

The available privileges for Oracle Retail Xstore Office are grouped by category: Administration, Configurator, Data Manager, Deployment Manager, Home Page, Reports, and Support.

Make sure you set up Oracle Retail Xstore Office privileges properly.

  • For example, in Deployment Manager, the Deployment Plan privileges for View Deployment Plans and Create/Edit Deployment Plans technically work together. If you just have View privilege, you can only view deployment plans (as expected). However, you must have both privileges (view and create) in order to Create or Edit.

  • The same is true for the Configurator privileges. If you just have Discounts or Menus and so on, you cannot do anything. You must also have the Configurator privilege and the Global Configurations or Configuration Overrides privilege to be able to get to the Discounts/Menus/Receipts selection page.

  • If a user does not have the privilege for a specific home page panel, then it will not be displayed when the user logs into Oracle Retail Xstore Office. There are six panels in the Oracle Retail Xstore Office base configuration, so there are six privileges available. Also, if the user has access to the home page panel itself, but not to any of the options contained within it, then the panel will not be displayed.

Administration

Administration Security Privileges:

  • Attachments

  • Available Locales

  • Broadcasters

  • Credentials Storage

  • Customizations

  • Integrations

  • Job Management

  • Lock/Reset Account

  • Organizations

  • Setup Pay By Link

  • Store Authorization Manager

  • Store Enrollment

  • System Manager

  • User Roles

  • Users and Security Access

  • Xadmin Settings

  • Xadmin Users

  • Xoffice Cloud Store Enrollment

Configurator

Configurator Security Privileges:

  • Code Value

  • Configuration Overrides

  • Configurator

  • Copy Store Configurations

  • Customer Displays

  • Delete Profile Element Configurations

  • Discounts

  • Global Configurations

  • Landscape Maintenance

  • Menu Configuration

  • Menus

  • Personality Maintenance

  • Profile Maintenance

  • Profile Management

  • Reason Codes

  • Receipts

  • Schedule Deployment

  • Security

  • Security Groups

  • Security Privileges

  • Store Personality Maintenance

  • Store Specific Overrides

  • System Config

  • Tab Configuration

  • Tender Maintenance

  • Tender Options Maintenance

  • Tender Security Settings

  • Tenders

Customization

  • Delete Customization

  • Export Customization

  • Upload Customization

Data Manager

Data Manager Security Privileges:

  • Attached Items

  • Avalara Tax Data Refresh

  • Currency Exchange

  • Data Manager

  • Data Publisher

  • Employee

  • Employee Tasks

  • Item Matrix Manager

  • Item Message Maintenance

  • Item Pricing

  • Item Restriction Types

  • Item Restrictions

  • Items

  • Legal Entity [Country Pack ONLY]

  • Merchandise Data Refresh

  • Merchandise Hierarchy

  • Merchandise Hierarchy Maintenance

  • Merchandise Items

  • Non Merchandise Items

  • Organization Hierarchy

  • Organization Hierarchy Levels

  • Organization Hierarchy Maintenance

  • Store Collections

  • Store Communications

  • Store Messages

  • Stores

  • Tax Authority

  • Tax Brackets

  • Tax Elements

  • Tax Group

  • Tax Location

  • Tax Rates

  • Taxes

  • Vendor

Deployment Manager

Deployment Manager Security Privileges:

  • Approve Deployment Wave

  • Cancel Deployment

  • Create/Edit Deployment Plans

  • File Deploy

  • File Upload

  • Purge Deployment Files

  • Schedule Planned Deployment

  • Schedule Single Deployment

  • Unapprove Deployment Wave

  • Upload File to Deploy

  • View Deployment Plans

  • View Deployments

Note:

The File Deploy privilege should not be assigned to the same role as either the File Upload or Upload File to Deploy privilege.
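As an added illustration (not Oracle code), the following Python script audits role definitions against the rules stated in About Privileges and in the note above: privileges that must not share a role, and privileges that have no effect without their companions. The role layout (role ID mapped to a set of privilege names), the finding labels, and the sample roles are assumptions constructed for this example.

```python
from typing import Dict, List, Set, Tuple

# Privilege pairs that must not be assigned to the same role (Deployment Manager note).
SOD_CONFLICTS = [
    ("File Deploy", "File Upload"),
    ("File Deploy", "Upload File to Deploy"),
]

# Configurator pages need Configurator AND one of the two configuration-scope privileges.
CONFIG_GATE = [{"Configurator"}, {"Global Configurations", "Configuration Overrides"}]

# Privilege -> requirement groups; the role must hold at least one privilege per group.
DEPENDENCIES = {
    "Create/Edit Deployment Plans": [{"View Deployment Plans"}],
    "Discounts": CONFIG_GATE,
    "Menus": CONFIG_GATE,
    "Receipts": CONFIG_GATE,
}

Finding = Tuple[str, str, str]  # (role ID, rule label, detail); labels are hypothetical


def audit_role(role_id: str, privileges: Set[str]) -> List[Finding]:
    """Return the rule violations for one role."""
    findings: List[Finding] = []
    for first, second in SOD_CONFLICTS:
        if first in privileges and second in privileges:
            findings.append((role_id, "SOD_CONFLICT", f"{first} + {second}"))
    for privilege, groups in sorted(DEPENDENCIES.items()):
        if privilege not in privileges:
            continue
        for group in groups:
            if not group & privileges:
                needed = " or ".join(sorted(group))
                findings.append(
                    (role_id, "INEFFECTIVE_PRIVILEGE", f"{privilege} needs {needed}"))
    return findings


def audit_roles(roles: Dict[str, Set[str]]) -> List[Finding]:
    """Audit every role; ADMINISTRATOR must exist and is exempt from the pair rules
    because it holds every privilege by default (exemption is a choice of this example)."""
    findings: List[Finding] = []
    if "ADMINISTRATOR" not in roles:
        findings.append(("*", "MISSING_REQUIRED_ROLE", "ADMINISTRATOR"))
    for role_id in sorted(roles):
        if role_id != "ADMINISTRATOR":
            findings.extend(audit_role(role_id, roles[role_id]))
    return findings


# Constructed sample roles, not taken from any real installation.
SAMPLE_ROLES: Dict[str, Set[str]] = {
    "ADMINISTRATOR": {"(all privileges)"},
    "DEPLOY_OPS": {"File Deploy", "File Upload", "View Deployments"},
    "PLAN_EDITOR": {"Create/Edit Deployment Plans"},
    "PROMO_EDITOR": {"Discounts", "Configurator"},
    "RELEASE_UPLOADER": {"File Upload", "Upload File to Deploy", "View Deployments"},
}

if __name__ == "__main__":
    for role_id, rule, detail in audit_roles(SAMPLE_ROLES):
        print(f"{role_id}: {rule}: {detail}")
```

Run such a check whenever roles are created or edited, so that upload and deploy rights stay with different people.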

Home Page

Home Page Panel Security Privileges:

  • Home Page

  • Home Page Config Management Panel

  • Home Page Data Management Panel

  • Home Page Deployment Panel

  • Home Page Reports Panel

  • Home Page Support Panel

  • Home Page System Panel

Reports

Reports Security Privileges:

  • Airport Authority Report

  • Best Sellers Reports

  • Credit Card Report

  • Customer Account Activity Summary Report

  • Customer List Report

  • Daily Sales Report

  • Daily Sales Total Report

  • Daily Sales and Cash Report

  • Dashboard Report for Sale

  • Electronic Journal

  • Employee Performance Report

  • Employee Tasks Report

  • Flash Sales Report

  • Gift Certificate Report

  • Inventory Stock Cost Report

  • Item List Report

  • Journal Report

  • Layaway Account Activity Report

  • Layaway Aging Report

  • Line Void Report

  • No Sale Report

  • Post Void Report

  • Post Void Summary Report

  • Price Change Report

  • Price Override Report

  • Receiving Exception Report

  • Receiving Report

  • Returned Merchandise Report

  • Roll-up Stock Valuation Report

  • Sales by Department Report

  • Sales by Department and Employee Report

  • Sales By Hour Analysis Report

  • Sales By Hour Report

  • Sales Overview Report

  • Shipping Exception Report

  • Special Orders Report

  • Stamp Tax Report

  • Stock Valuation Reports

  • Store Locations Report

  • Suspended Transaction Detail Report

  • Suspended Transaction Summary Report

  • Tax Exemption Report

  • Transaction Cancel Detail Report

  • Transaction Cancel Summary Report

  • View Reports

Support

Support Security Privileges:

  • Alert Console

  • Alert Settings

  • Deployed Oracle Retail Xstore Point-of-Service Versions

  • PosLog Publisher

  • Temporary Store

  • Replication Status

Admin Users - Using Roles to Grant Access to Oracle Retail Xstore Office

Once you have created Roles, you can grant user access to Oracle Retail Xstore Office by assigning a Role, and its associated privileges, to the user.

Creating New Oracle Retail Xstore Office User Accounts

Perform the following steps to grant other users access to Oracle Retail Xstore Office components. To change an existing user's account privileges, see Editing Oracle Retail Xstore Office User Accounts.

  1. From the Oracle Retail Xstore Office menu, select System, then Xadmin Users, or click the Xadmin Users link in the System panel.

  2. At the Xadmin Users page, click Users and Security Access.

    Figure 2-3 Xadmin Users Page



  3. At the Users and Security Access page, click Add New to create a new user account.

    Figure 2-4 Users and Security Access Page



    Note:

    If there are more than 200 Oracle Retail Xstore Office users in your organization, a Search page displays rather than the employee list as shown in Figure 2-5 above. Click Add New to create a new user account.

  4. Enter the information as required to grant security privileges for new users:

    1. User ID - REQUIRED

      Note:

      The User ID Minimum Length is set in System - Xadmin Settings - User Account.

    2. Authentication Type - If applicable, select the authentication type, Internal Xadmin directory or LDAP directory.

      Note:

      Authentication Type is only available if LDAP authentication is enabled. If using LDAP Authentication you are not prompted for password information. Also, password reset and password change functionality is not available. See LDAP Authentication for more information.

    3. First Name - REQUIRED

    4. Last Name - REQUIRED

    5. Password & Confirm Password - REQUIRED FOR MANUAL PASSWORD METHOD. See Passwords: Special Characters & Rules for more information about password validation.

      Note:

      The Password and Confirm Password fields are not available if using the Static password method or the Algorithm method when creating new user accounts. See Password Options - Non LDAP for more information about static passwords and algorithm passwords.

    6. Locale - This list contains the available locales defined for your organization; defaults to English United States.

    7. Email - Enter the user's email address, if applicable.

    8. Account Locked check box - After a configurable number of consecutive unsuccessful login attempts, the user's account will be automatically flagged as locked and the user cannot access the system until you reset the lock flag here. You can also select this check box to lock a user out of the system. This functionality is not available for LDAP users.

  5. Click Add New to add the user's organization, role, and org nodes. The system displays the Add users organization, role and org nodes window. Select the following:

    1. Organization - Select the organization ID the user has access to from the list.

    2. Role - Select a role for the user.

    3. Organization Nodes - Specify which stores the user has access to:

      • Select the globe icon. The system displays a list of organization nodes defined for your organization.

      • Select which nodes/stores the user will have access to, and click Add. The system displays the selected organization nodes.

      • The nodes you selected are shown, along with a Delete option you can use if you need to remove access to an Organization Node for the user.

        Note:

        You can add and delete multiple organization nodes.

    4. Enable dashboard as home page check box - Select the check box to enable the Dashboard as your home page.

      Note:

      The Dashboard can be enabled as the home page only when a single store node is assigned to the user.

    5. Click OK to save your entries. The system displays the User screen and updates the list of assigned organizations for the user.

      Note:

      Multiple organizations and roles can be added to the same user by clicking Add.

  6. Click the Save button to create the new user account.

    The new user account is added to the list of Oracle Retail Xstore Office Users. When the new user logs in to Oracle Retail Xstore Office, only the components for which the user has been granted access will be active on the Oracle Retail Xstore Office menu and panel links.

Editing Oracle Retail Xstore Office User Accounts

  1. From the Oracle Retail Xstore Office menu, select System, then Xadmin Users, or click the Xadmin Users link in the System panel.

  2. At the Xadmin Users page, click Users and Security Access.

    Figure 2-5 Xadmin Users Page



  3. At the Users and Security Access page, select a user account from the list.

    Figure 2-6 Users and Security Access Page



    Note:

    If there are fewer than 200 Oracle Retail Xstore Office users in your organization, the list of users will be shown automatically without requiring a search. Otherwise, enter search criteria to find an Oracle Retail Xstore Office user account.

    Note:

    A delete option is available to allow you to remove an Oracle Retail Xstore Office user account. If selected, you will be prompted to confirm the user account should be deleted. Always make sure at least one user has access to the ADMINISTRATOR role before deleting user accounts.

    Note:

    Xstore will not be deleting any users in Xadmin as part of the Right to be Forgotten Data Privacy effort. Xadmin users will need to be deleted in a separate process triggered by you, the retailer.

  4. The Edit User page provides the fields that can be edited for the selected user account. Refer to step 4 of Creating New Oracle Retail Xstore Office User Accounts for more information about the fields.

    About editing fields:

    • The User ID cannot be changed.

    • The Authentication Type cannot be changed after setup.

    • When editing existing users, a Reset Password option is available for static and algorithm password methods. See Resetting a User's Password.

    • If you changed the Security Role setting, the user's access to Oracle Retail Xstore Office components is updated accordingly. When the user logs in to Oracle Retail Xstore Office, only the components for which the user has been granted access will be active on the Oracle Retail Xstore Office menu and panel links.

  5. Click Save to apply the changes to the user's account.

Password Options - Non LDAP

There are three options for creating passwords for new users and/or users that request a password reset. These configuration options are set in Xadmin Settings. See System Management, Oracle Retail Xstore Office Configuration for more information about setting up password options.

  • Manual Setup - Using this option, the administrator creates each password and then communicates it to the user. When creating a new user, the Password text box must be populated with a password that meets the standards set by other Oracle Retail Xstore Office password configurations defined in Xadmin Settings, User Accounts section.

  • Static Passwords - Using this option, the administrator first sets up a static (universal) password within Oracle Retail Xstore Office Settings for all new users, for example A@23456. This static password will be temporarily used by new Oracle Retail Xstore Office users, and users that have requested a password reset. A Password text box is not needed on the Edit User page since a static password is used for all new users. The Oracle Retail Xstore Office user will be prompted to change this password the first time he/she logs into the system.

  • Auto-generated Password Via Algorithm - Using this option, the password is created automatically for the user based on a predetermined algorithm. The algorithm contains aspects of the user profile that can be communicated easily. The algorithm currently used is as follows:

    • The first letter of the user's first name (upper case).

    • The first letter of the user's last name (lower case).

    • The @ symbol.

    • The month and year in which the user record is created (when the password is requested) in MMYYYY format.

The Oracle Retail Xstore Office user will be prompted to change this password the first time he/she logs into the system.

Passwords: Special Characters & Rules

Table 2-1 Valid Password Special Characters

Character   Description
!           exclamation mark
#           pound or number sign
$           dollar
%           percent
&           ampersand
(           open parenthesis
)           close parenthesis
*           asterisk
-           minus or hyphen
=           equal
?           question mark
@           at
[           open bracket
]           close bracket
^           caret
_           underscore
{           open brace
}           close brace
|           pipe or bar
~           tilde
+           plus

Table 2-2 Invalid Password Special Characters

Character   Description
'           apostrophe or single quote
`           back quote
\           back slash
:           colon
,           comma
>           greater than
.           period
"           quote
;           semi-colon
/           slash or forward slash

Password & User ID Configuration

Password & User ID settings are configured in System - Xadmin Settings - User Account category. These settings include the following:

Method of Creating Password for New Users - The method used to create the password for newly added users. See Password Options - Non LDAP for more information about the three options available.

Number of Capital Letters Required for a Password - The minimum number of capital letters that should appear in a password. The minimum number is zero (0).

Number of Changes Before a Password Can Be Reused - The number of password resets within which associates are not allowed to reuse the same password. For example, setting the value to 12 ensures a user's new password cannot match any of his/her 12 previous passwords. A setting of zero (0) means that the same password can always be reused.

Number of Consecutive Characters Allowed in a Password - The maximum number of times that any given symbol or character can repeat consecutively within the password string. The minimum number is one (1).

Number of Login Attempts Before Account Is Locked - The number of times an invalid password can be entered before the account is locked. The minimum number is one (1).

Number of Numbers Required for a Password - The minimum number of digits that should appear in a password (accepted values = 0-9). The minimum number is zero (0).

Number of Special Characters Required for a Password - The minimum number of special characters that should appear in a password. The minimum number allowed is zero (0). See Passwords: Special Characters & Rules for a list of valid special characters.

Password Expiration Days - The number of days that a password can be used before it expires. If a user successfully logs into Oracle Retail Xstore Office (enters valid user name and password), but the password is older than the configured number of days, the user will be rerouted to the Change Password screen and will not be able to access the system until the password has been successfully changed.

Password Length - The minimum length of a password. If a value of 1 is set, passwords have no minimum length, but cannot be empty/blank.

User ID Length - The minimum number of characters that must be used in order for a user ID to be valid.

See System Management for more information about the password configuration options.

Additional Password Requirements

  • A user's password cannot be the same as his/her user ID.

  • Passwords cannot contain null or space characters (space, tab, carriage return, \0, for example). Note that leading or trailing null and space characters are silently trimmed by the UI automatically.
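The rules in Tables 2-1 and 2-2, the User Account settings, and the additional requirements above can be combined into one check. The following Python validator is an added example, not Oracle code; the policy field names and default values are hypothetical, and it assumes that any character that is not a letter, a digit, or a Table 2-1 character is rejected and that the user ID comparison is an exact match.

```python
from dataclasses import dataclass
from typing import List

VALID_SPECIALS = set("!#$%&()*-=?@[]^_{}|~+")  # Table 2-1


@dataclass
class PasswordPolicy:
    """Hypothetical field names mirroring the User Account settings; values are constructed."""
    min_length: int = 8       # Password Length
    min_capitals: int = 1     # Number of Capital Letters Required for a Password
    min_digits: int = 1       # Number of Numbers Required for a Password
    min_specials: int = 1     # Number of Special Characters Required for a Password
    max_consecutive: int = 2  # Number of Consecutive Characters Allowed in a Password


def longest_run(password: str) -> int:
    """Length of the longest run of one character repeated back to back."""
    best = run = 0
    prev = None
    for ch in password:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password(password: str, user_id: str, policy: PasswordPolicy) -> List[str]:
    """Return every rule the password breaks; an empty list means it is accepted.
    No trimming is done here, unlike the UI, so stray blanks are reported."""
    errors: List[str] = []
    blanks = [ch for ch in password if ch.isspace() or ch == "\0"]
    if blanks:
        errors.append("contains null or space character")
    # Assumption: covers Table 2-2 and any symbol listed in neither table.
    rejected = sorted({ch for ch in password
                       if not (ch.isalnum() or ch in VALID_SPECIALS or ch in blanks)})
    if rejected:
        errors.append("character not allowed: " + " ".join(rejected))
    if len(password) < policy.min_length:
        errors.append(f"shorter than {policy.min_length} characters")
    if sum(ch.isupper() for ch in password) < policy.min_capitals:
        errors.append(f"fewer than {policy.min_capitals} capital letters")
    if sum(ch in "0123456789" for ch in password) < policy.min_digits:
        errors.append(f"fewer than {policy.min_digits} digits")
    if sum(ch in VALID_SPECIALS for ch in password) < policy.min_specials:
        errors.append(f"fewer than {policy.min_specials} special characters")
    if longest_run(password) > policy.max_consecutive:
        errors.append(f"character repeated more than {policy.max_consecutive} times in a row")
    if password == user_id:
        errors.append("same as user ID")
    return errors


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed samples; A@23456 is the static password example from this chapter.
    for candidate in ["A@23456", "Str0ng#Pass", "Bad.Pass1!", "Aaaa1111#x"]:
        print(candidate, check_password(candidate, "jsmith", policy))
```

With the constructed eight-character minimum, the chapter's sample static password A@23456 is rejected for length, which shows why a temporary password should be checked against the same settings as user-chosen ones.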

Resetting a User's Password

Use the Reset Password function to manually reset user passwords when needed. This option is available with Static and Algorithm password generation methods only.

Note:

If Oracle Retail Xstore Office is configured for Manual password generation, simply change the password in the Password field on the Edit User page:

  • If you reset your own password, it will not be marked as temporary in Oracle Retail Xstore Office.

  • If you (the administrator) manually reset another user's password, it will be marked as temporary in Oracle Retail Xstore Office and the user must change it during the next login.

  1. From the Oracle Retail Xstore Office menu, select System - Xadmin Users, or click the Xadmin Users link in the System panel.

  2. At the Xadmin Users page, click Users and Security Access.

  3. At the Users and Security Access page, select a user account from the list.

  4. Click the Reset Password link.

  5. When prompted, verify the user account and email address are correct, then click Yes to continue.

    Note:

    If the user does not have an email address on record, you will be prompted whether or not to continue. Click No to return to the Edit User page and enter an email address, or click Yes to continue without generating an email for the user.

  6. The password is reset based on the configured password method, either the static (universal) password or the algorithm password. An email is generated and sent to the Oracle Retail Xstore Office user with the details.

LDAP Authentication

LDAP Authentication allows users to log into Oracle Retail Xstore Office using a single sign-on where one password for a user is shared between many services. This feature uses LDAP (Lightweight Directory Access Protocol) and Microsoft's AD (Active Directory) repository to manage the user ID and password access to the application.

Note:

LDAP is used for authentication to Oracle Retail Xstore Office, but the user information must be set up in the Oracle Retail Xstore Office database for the users to access the application.

Assumptions and Requirements for LDAP Users

  • LDAP-managed users do not have the ability to manage their passwords from within Oracle Retail Xstore Office, or the ability to use password reset or password change functionality.

  • A single LDAP server must be configured for the Oracle Retail Xstore Office instance. Multiple LDAP authentication servers are not supported.

  • Account locking (for example, after "X" login attempts) and unlocking is not available through Oracle Retail Xstore Office. It may be available through the LDAP server.

Additional Details for LDAP Authentication

  • The server must be a domain controller, for example, ldap://localhost:389.

  • Add a user in the Active Directory Users and Computers section of the Server Manager. For example, add the user to the folder Client Services of the main branch.

  • When setting up the user, the password entered is the same password used for logging on to Oracle Retail Xstore Office with this user.

Oracle Retail Xstore Office LDAP Settings

LDAP Authentication settings are configured in System - Xadmin Settings - User Account category.

Default Domain Name for LDAP - The default domain name to be used when authenticating users using LDAP.

Enable LDAP Authentication Option? - The configuration used to enable Oracle Retail Xstore Office to authenticate users using an LDAP directory.

LDAP Provider URL - The URL to be used to connect to the LDAP server.